{{- define "manager_resources" }}
cpu: 100m
memory: 128Mi
{{- end }}
{{- define "kruise_state_metrics_resources" }}
cpu: 50m
memory: 100Mi
{{- end }}

{{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: kruise-controller-manager
  namespace: d8-ingress-nginx
  {{- include "helm_lib_module_labels" (list . (dict "app" "kruise" "control-plane" "controller-manager" "workload-resource-policy.deckhouse.io" "master")) | nindent 2 }}
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: kruise-controller-manager
  updatePolicy:
    updateMode: "Auto"
  resourcePolicy:
    containerPolicies:
      - containerName: kruise
        minAllowed:
          {{- include "manager_resources" . | nindent 10 }}
        maxAllowed:
          cpu: 300m
          memory: 512Mi
      - containerName: kruise-state-metrics
        minAllowed:
          {{- include "kruise_state_metrics_resources" . | nindent 10 }}
        maxAllowed:
          cpu: 100m
          memory: 100Mi
      {{- include "helm_lib_vpa_kube_rbac_proxy_resources" . | nindent 6 }}
{{- end }}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: kruise-controller-manager
  namespace: d8-ingress-nginx
  {{- include "helm_lib_module_labels" (list . (dict "app" "kruise")) | nindent 2 }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      control-plane: controller-manager
      app: kruise
---
# Source: kruise/templates/manager.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kruise-controller-manager
  namespace: d8-ingress-nginx
  {{- include "helm_lib_module_labels" (list . (dict "app" "kruise" "control-plane" "controller-manager")) | nindent 2 }}
  annotations:
    ingress.deckhouse.io/force-max-unavailable: ""
spec:
  {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" . | nindent 2 }}
  selector:
    matchLabels:
      control-plane: controller-manager
      app: kruise
  minReadySeconds: 3
  revisionHistoryLimit: 2
  template:
    metadata:
      labels:
        control-plane: controller-manager
        app: kruise
    spec:
      {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }}
      {{- include "helm_lib_node_selector" (tuple . "master") | nindent 6 }}
      {{- include "helm_lib_priority_class" (tuple . "system-cluster-critical") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
      imagePullSecrets:
        - name: deckhouse-registry
      containers:
        - args:
            - --enable-leader-election
            - --metrics-addr=:8080
            - --health-probe-addr=:8000
            - --logtostderr=true
            - --leader-election-namespace=d8-ingress-nginx
            - --namespace=d8-ingress-nginx
            - --v=5
            - --feature-gates=ResourcesDeletionProtection=true,PodWebhook=false
            - --sync-period=0
            - --advancedcronjob-workers=0
            - --broadcastjob-workers=0
            - --cloneset-workers=0
            - --crr-workers=0
            - --imagepulljob-workers=0
            - --nodeimage-workers=0
            - --nodepodprobe-workers=0
            - --persistentpodstate-workers=0
            - --podprobemarker-workers=0
            - --podunavailablebudget-workers=0
            - --resourcedistribution-workers=0
            - --sidecarset-workers=0
            - --statefulset-workers=0
            - --uniteddeployment-workers=0
            - --workloadspread-workers=0
            - --leader-election-resource-lock=leases
            - --leader-election-retry-period=10s
            - --leader-election-lease-duration=35s
            - --leader-election-renew-deadline=30s
          command:
            - /manager
          image: {{ include "helm_lib_module_image" (list . "kruise") }}
          imagePullPolicy: IfNotPresent
          name: kruise
          {{- include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . | nindent 10 }}
          env:
            - name: KUBE_CACHE_MUTATION_DETECTOR
              value: "true"
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: WEBHOOK_PORT
              value: "9876"
            - name: WEBHOOK_CONFIGURATION_FAILURE_POLICY_PODS
              value: Ignore
          ports:
            - containerPort: 9876
              name: webhook-server
              protocol: TCP
            - containerPort: 8080
              name: metrics
              protocol: TCP
            - containerPort: 8000
              name: health
              protocol: TCP
          readinessProbe:
            httpGet:
              path: readyz
              port: 8000
          resources:
            requests:
              {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 14 }}
          {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
              {{- include "manager_resources" . | nindent 14 }}
            limits:
              memory: 512Mi
          {{- end }}
        - name: kube-rbac-proxy
          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 10 }}
          image: {{ include "helm_lib_module_common_image" (list . "kubeRbacProxy") }}
          args:
            - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):10354"
            - "--v=2"
            - "--logtostderr=true"
            - "--stale-cache-interval=1h30m"
            - "--livez-path=/livez"
          env:
            - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: KUBE_RBAC_PROXY_CONFIG
              value: |
                excludePaths:
                - /healthz
                upstreams:
                - upstream: http://127.0.0.1:8082/
                  path: /
                  authorization:
                    resourceAttributes:
                      namespace: d8-{{ .Chart.Name }}
                      apiGroup: apps
                      apiVersion: v1
                      resource: deployments
                      subresource: kruise-state-metrics
                      name: kruise
          livenessProbe:
            httpGet:
              path: /livez
              port: 10354
              scheme: HTTPS
          readinessProbe:
            httpGet:
              path: /livez
              port: 10354
              scheme: HTTPS
          ports:
            - containerPort: 10354
              name: https-metrics
          resources:
            requests:
              {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 14 }}
          {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
              {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 14 }}
          {{- end }}
        - args:
          - --namespaces=d8-ingress-nginx
          - --port=8082
          - --resources=daemonsets
          - --host=127.0.0.1
          - --logtostderr=true
          - --v=2
          command:
          - /kruise-state-metrics
          image: {{ include "helm_lib_module_image" (list . "kruiseStateMetrics") }}
          imagePullPolicy: IfNotPresent
          name: kruise-state-metrics
          {{- include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . | nindent 10 }}
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10354
              scheme: HTTPS
          readinessProbe:
            httpGet:
              path: /
              port: 8081
          resources:
            requests:
              {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 14 }}
          {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
              {{- include "kruise_state_metrics_resources" . | nindent 14 }}
            limits:
              memory: 100Mi
          {{- end }}
      hostNetwork: false
      terminationGracePeriodSeconds: 10
      serviceAccountName: kruise
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: control-plane
                      operator: In
                      values:
                        - controller-manager
                topologyKey: kubernetes.io/hostname
              weight: 100
